wogiflow 1.0.38 → 1.0.40

package/.claude/commands/wogi-compact.md

@@ -49,17 +49,15 @@ When compacting, the system automatically:
 2. Stores summaries at multiple levels (root → sections → details)
 3. Applies relevance decay to older items
 4. Enables on-demand expansion when details are needed later
-5. **Cleans up completed plan files** from `.claude/plans/`
+5. **Cleans up completed plan files** from `~/.claude/plans/`
 
 ### Plan File Cleanup
 
-Compaction automatically cleans up plan files that appear to be complete:
-- Plans with "Complete" in the title
-- Plans containing "can be deleted"
-- Plans with "all completed"
-- Very short/empty plan files
+Compaction automatically cleans up plan files from your home directory (`~/.claude/plans/`) that are explicitly marked as complete:
+- Plans with `# Plan: Complete` in the title
+- Plans containing the explicit marker `This plan can be deleted`
 
-This prevents stale plan files from accumulating and being shown after context restoration.
+Only files with these explicit completion markers are deleted. This prevents stale plan files from accumulating and being shown after context restoration.
 
 ## Format for Context Summary
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "wogiflow",
-  "version": "1.0.38",
+  "version": "1.0.40",
   "description": "AI-powered development workflow management system with multi-model support",
   "main": "lib/index.js",
   "bin": {

package/scripts/flow-context-compact/index.js

@@ -93,9 +93,13 @@ function checkPressure() {
 }
 
 /**
- * Clean up completed plan files from .claude/plans/
- * Plan files that are marked complete or empty are archived or deleted
- * @returns {Object} Cleanup result
+ * Clean up completed plan files from ~/.claude/plans/
+ * Plan files that are explicitly marked complete are deleted.
+ *
+ * Safety: Only deletes files that explicitly contain completion markers.
+ * Path traversal protection: Validates resolved paths stay within plansDir.
+ *
+ * @returns {Object} Cleanup result with cleaned count and file list
  */
 function cleanupPlanFiles() {
   const fs = require('fs');
@@ -112,27 +116,47 @@ function cleanupPlanFiles() {
     return result;
   }
 
+  // Resolve to absolute path for security comparison
+  const realPlansDir = path.resolve(plansDir);
+
   try {
     const files = fs.readdirSync(plansDir);
 
     for (const file of files) {
+      // Only process .md files
       if (!file.endsWith('.md')) continue;
 
+      // Skip files with path separators (potential traversal)
+      if (file.includes('/') || file.includes('\\')) continue;
+
       const filePath = path.join(plansDir, file);
-      let content;
 
+      // Path traversal protection: ensure resolved path is within plansDir
+      const realFilePath = path.resolve(filePath);
+      if (!realFilePath.startsWith(realPlansDir + path.sep) && realFilePath !== realPlansDir) {
+        continue; // Skip files outside target directory
+      }
+
+      // Skip symlinks (security measure)
+      try {
+        const stats = fs.lstatSync(filePath);
+        if (stats.isSymbolicLink()) continue;
+      } catch (err) {
+        continue;
+      }
+
+      let content;
       try {
         content = fs.readFileSync(filePath, 'utf-8');
       } catch (err) {
         continue; // Skip files we can't read
       }
 
-      // Check if plan appears to be complete
+      // Check if plan is EXPLICITLY marked complete
+      // More restrictive patterns to avoid accidental deletion
       const isComplete =
-        /^#\s*Plan:\s*Complete/im.test(content) ||
-        /can be deleted/i.test(content) ||
-        /all.*completed/i.test(content) ||
-        content.trim().length < 100; // Very short/empty plans
+        /^#\s*Plan:\s*Complete/im.test(content) ||  // Title starts with "Plan: Complete"
+        /^This plan (file )?can be deleted\.?$/im.test(content);  // Explicit deletion marker
 
       if (isComplete) {
         try {
@@ -141,11 +165,17 @@ function cleanupPlanFiles() {
           result.files.push(file);
         } catch (err) {
           // Couldn't delete - that's okay
+          if (process.env.DEBUG) {
+            console.error(`[cleanupPlanFiles] Failed to delete ${file}: ${err.message}`);
+          }
         }
       }
     }
   } catch (err) {
     // Error reading plans directory - non-critical
+    if (process.env.DEBUG) {
+      console.error(`[cleanupPlanFiles] Error: ${err.message}`);
+    }
   }
 
   return result;

package/scripts/flow-durable-session.js

@@ -18,7 +18,7 @@
 const fs = require('fs');
 const path = require('path');
 const { execSync } = require('child_process');
-const { getConfig, getProjectRoot, MAX_SESSION_HISTORY, withLock, writeJson, ensureDir } = require('./flow-utils');
+const { getConfig, getProjectRoot, MAX_SESSION_HISTORY, withLock, writeJson, ensureDir, safeJsonParse } = require('./flow-utils');
 const { validateCommand } = require('./flow-workflow');
 const { validatePathWithinProject } = require('./flow-security');
 
@@ -138,7 +138,7 @@ function createDurableSession(taskId, taskType, steps = []) {
  * @param {Array} steps - Array of step definitions
  * @returns {Promise<Object>} Created or existing session
  */
-async function createDurableSessionAsync(taskId, taskType, steps = []) {
+async function createDurableSessionAsync(taskId, taskType, steps = [], options = {}) {
   const sessionPath = getSessionPath();
 
   return withLock(sessionPath, () => {
@@ -152,7 +152,7 @@ async function createDurableSessionAsync(taskId, taskType, steps = []) {
     // Clean up legacy hybrid-session.json if present (migration to v2.0)
     cleanupLegacyHybridSession();
 
-    const session = createSessionObject(taskId, taskType, steps);
+    const session = createSessionObject(taskId, taskType, steps, options);
     saveDurableSession(session);
     return session;
   });
@@ -160,8 +160,13 @@ async function createDurableSessionAsync(taskId, taskType, steps = []) {
 
 /**
  * Create a session object (internal helper)
+ * @param {string} taskId - Task identifier
+ * @param {string} taskType - Type: "task", "loop", "bulk"
+ * @param {Array} steps - Array of step definitions
+ * @param {Object} options - Additional options
+ * @param {Object} options.filesToChange - File scope from spec (create/modify/delete arrays)
  */
-function createSessionObject(taskId, taskType, steps = []) {
+function createSessionObject(taskId, taskType, steps = [], options = {}) {
   return {
     version: SESSION_VERSION,
     sessionId: `sess-${Date.now()}`,
@@ -201,7 +206,10 @@ function createSessionObject(taskId, taskType, steps = []) {
       source: null,        // How queue was created: "bulk", "natural", "manual"
       queuedAt: null,
       completedTasks: []   // Track completed task IDs
-    }
+    },
+
+    // v4.0: File scope for runtime enforcement (from spec's filesToChange)
+    filesToChange: options.filesToChange || null
   };
 }
 
@@ -261,8 +269,8 @@ function loadDurableSession() {
   }
 
   try {
-    const content = fs.readFileSync(sessionPath, 'utf-8');
-    const session = JSON.parse(content);
+    // Use safeJsonParse to prevent prototype pollution
+    const session = safeJsonParse(sessionPath, null);
 
     // Validate session structure
     if (!session || typeof session !== 'object') {
@@ -306,6 +314,16 @@ function loadDurableSession() {
   }
 }
 
+/**
+ * Get file scope from current durable session
+ * Used by scope-gate for runtime enforcement
+ * @returns {Object|null} filesToChange object or null if no scope defined
+ */
+function getSessionFileScope() {
+  const session = loadDurableSession();
+  return session?.filesToChange || null;
+}
+
 /**
  * Save the durable session
  * @param {Object} session - Session to save
@@ -344,11 +362,9 @@ function archiveDurableSession(status = 'completed') {
   let history = [];
 
   if (fs.existsSync(historyPath)) {
-    try {
-      history = JSON.parse(fs.readFileSync(historyPath, 'utf-8'));
-    } catch {
-      history = [];
-    }
+    // Use safeJsonParse to prevent prototype pollution
+    const parsed = safeJsonParse(historyPath, []);
+    history = Array.isArray(parsed) ? parsed : [];
   }
 
   history.push(session);
@@ -964,7 +980,15 @@ function checkFileCondition(config) {
   // If expected content specified, check it
   if (config.expectedContent) {
     try {
-      const content = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+      // Use safeJsonParse to prevent prototype pollution
+      const content = safeJsonParse(filePath, null);
+      if (!content) {
+        return {
+          canResume: false,
+          reason: 'file-parse-error',
+          error: 'Could not parse file content'
+        };
+      }
       const matches = deepEqual(content, config.expectedContent);
 
       if (matches) {
@@ -1184,7 +1208,9 @@ function getSessionStats() {
   }
 
   try {
-    const history = JSON.parse(fs.readFileSync(historyPath, 'utf-8'));
+    // Use safeJsonParse to prevent prototype pollution
+    const parsed = safeJsonParse(historyPath, []);
+    const history = Array.isArray(parsed) ? parsed : [];
     const completed = history.filter(h => h.status === 'completed').length;
     const failed = history.filter(h => h.status === 'failed').length;
     const avgSteps = history.length > 0
@@ -1408,6 +1434,7 @@ module.exports = {
   loadDurableSession,
   saveDurableSession,
   archiveDurableSession,
+  getSessionFileScope,  // v4.0: Get file scope for runtime enforcement
 
   // Step management
   getNextPendingStep,

package/scripts/flow-start.js

@@ -66,6 +66,14 @@ const {
   STEP_STATUS
 } = require('./flow-durable-session');
 
+// Spec loader for scope enforcement (optional - graceful degradation)
+let loadSpec = null;
+try {
+  loadSpec = require('./flow-spec-generator').loadSpec;
+} catch (err) {
+  if (process.env.DEBUG) console.error(`[DEBUG] flow-spec-generator not available: ${err.message}`);
+}
+
 // v3.0 phased task execution (recursive enhancements)
 const {
   initializePhasedTask,
@@ -288,8 +296,29 @@ async function main() {
       const steps = Array.isArray(acceptanceCriteria) ? acceptanceCriteria : [];
       const sessionSteps = steps.length > 0 ? steps : [taskTitle || taskId];
 
+      // v4.0: Load spec to get filesToChange for scope enforcement
+      let filesToChange = null;
+      if (loadSpec) {
+        try {
+          const spec = loadSpec(taskId);
+          if (spec?.sections?.filesToChange) {
+            filesToChange = spec.sections.filesToChange;
+            if (process.env.DEBUG) {
+              const fileCount = (filesToChange.create?.length || 0) +
+                               (filesToChange.modify?.length || 0) +
+                               (filesToChange.delete?.length || 0);
+              console.log(color('dim', `[DEBUG] Loaded scope: ${fileCount} files from spec`));
+            }
+          }
+        } catch (err) {
+          if (process.env.DEBUG) console.error(`[DEBUG] Spec load for scope: ${err.message}`);
+        }
+      }
+
       // Use async version with file locking to prevent race conditions
-      const session = await createDurableSessionAsync(taskId, 'task', sessionSteps);
+      const session = await createDurableSessionAsync(taskId, 'task', sessionSteps, {
+        filesToChange
+      });
 
       if (steps.length > 0) {
         console.log(color('cyan', `📋 Durable session initialized with ${steps.length} steps`));

package/scripts/hooks/core/index.js

@@ -7,6 +7,7 @@
  */
 
 const taskGate = require('./task-gate');
+const scopeGate = require('./scope-gate');
 const validation = require('./validation');
 const loopCheck = require('./loop-check');
 const componentCheck = require('./component-check');
@@ -21,6 +22,10 @@ module.exports = {
   ...taskGate,
   taskGate,
 
+  // Scope Gating (v4.0 - validates edits are within task scope)
+  ...scopeGate,
+  scopeGate,
+
   // Validation
   ...validation,
   validation,

package/scripts/hooks/core/scope-gate.js

@@ -0,0 +1,381 @@
+#!/usr/bin/env node
+
+/**
+ * Wogi Flow - Scope Gate (Core Module)
+ *
+ * v4.0: Runtime scope enforcement for task-work alignment.
+ * Validates that file edits are within the task's declared scope
+ * (from spec's filesToChange).
+ *
+ * This module wraps task-gate and adds scope checking:
+ * 1. First checks if a task is active (via task-gate)
+ * 2. Then checks if the file being edited is in the task's scope
+ * 3. Warns or blocks based on configuration
+ */
+
+const path = require('path');
+
+// Import from parent scripts directory
+const { getConfig, getProjectRoot } = require('../../flow-utils');
+const { checkTaskGate, getActiveTask } = require('./task-gate');
+const { getSessionFileScope } = require('../../flow-durable-session');
+
+/**
+ * Check if scope gating is enabled
+ * @returns {boolean}
+ */
+function isScopeGatingEnabled() {
+  const config = getConfig();
+
+  // Check hooks config
+  if (config.hooks?.rules?.scopeGating?.enabled === false) {
+    return false;
+  }
+
+  // Default to enabled if not explicitly disabled
+  return true;
+}
+
+/**
+ * Get the scope gating mode
+ * @returns {string} 'warn' | 'block'
+ */
+function getScopeGatingMode() {
+  const config = getConfig();
+  return config.hooks?.rules?.scopeGating?.mode || 'warn';
+}
+
+/**
+ * Get exempt patterns from config
+ * @returns {string[]}
+ */
+function getExemptPatterns() {
+  const config = getConfig();
+  return config.hooks?.rules?.scopeGating?.exemptPatterns || [
+    '.workflow/state/**',
+    '.workflow/specs/**',
+    '.workflow/plans/**',
+    'package.json',
+    'tsconfig.json',
+    'package-lock.json'
+  ];
+}
+
+/**
+ * Validate that a path is within the project root (prevents path traversal)
+ * @param {string} filePath - The file path to validate
+ * @returns {boolean} True if path is within project
+ */
+function isPathWithinProject(filePath) {
+  try {
+    const projectRoot = getProjectRoot();
+    const resolvedPath = path.resolve(projectRoot, filePath);
+    return resolvedPath.startsWith(projectRoot + path.sep) || resolvedPath === projectRoot;
+  } catch (_err) {
+    // If we can't resolve, reject for safety
+    return false;
+  }
+}
+
+/**
+ * Check if a file path matches a pattern
+ * Supports:
+ * - Exact paths: 'src/index.ts'
+ * - Directory patterns: 'src/components/**' (recursive)
+ * - Directory patterns: 'src/components/*' (direct children only)
+ *
+ * @param {string} filePath - The file being edited
+ * @param {string} pattern - The pattern to match against
+ * @returns {boolean}
+ */
+function matchesPattern(filePath, pattern) {
+  // Validate inputs
+  if (!filePath || !pattern || typeof filePath !== 'string' || typeof pattern !== 'string') {
+    return false;
+  }
+
+  // Reject path traversal attempts
+  if (pattern.includes('..') || filePath.includes('..')) {
+    return false;
+  }
+
+  // Normalize paths (convert backslashes to forward slashes for consistency)
+  const normalizedFile = path.normalize(filePath).replace(/\\/g, '/');
+  const normalizedPattern = path.normalize(pattern).replace(/\\/g, '/');
+
+  // Validate the file path is within project after normalization
+  if (!isPathWithinProject(normalizedFile)) {
+    return false;
+  }
+
+  // Exact match
+  if (normalizedFile === normalizedPattern) {
+    return true;
+  }
+
+  // Directory pattern (ends with /**) - recursive match
+  if (normalizedPattern.endsWith('/**')) {
+    const dirPrefix = normalizedPattern.slice(0, -3);
+    return normalizedFile.startsWith(dirPrefix + '/') || normalizedFile === dirPrefix;
+  }
+
+  // Directory pattern (ends with /*) - direct children only
+  if (normalizedPattern.endsWith('/*')) {
+    const dirPrefix = normalizedPattern.slice(0, -2);
+    // Only match files directly in the directory, not subdirectories
+    if (!normalizedFile.startsWith(dirPrefix + '/')) {
+      return false;
+    }
+    const relativePath = normalizedFile.slice(dirPrefix.length + 1);
+    return !relativePath.includes('/');
+  }
+
+  // File is within a directory specified as scope (without glob)
+  // e.g., scope "src/utils" matches "src/utils/helper.ts"
+  if (normalizedFile.startsWith(normalizedPattern + '/')) {
+    return true;
+  }
+
+  return false;
+}
+
+/**
+ * Check if a file is in the exempt list
+ * @param {string} filePath - The file being edited
+ * @returns {boolean}
+ */
+function isFileExempt(filePath) {
+  if (!filePath) {
+    return false;
+  }
+
+  const exemptPatterns = getExemptPatterns();
+
+  for (const pattern of exemptPatterns) {
+    if (matchesPattern(filePath, pattern)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Check if a file is within the task's declared scope
+ *
+ * @param {string} filePath - The file being edited
+ * @param {Object} filesToChange - The scope object from spec
+ * @param {Array} filesToChange.create - Files to create
+ * @param {Array} filesToChange.modify - Files to modify (may be objects with .path)
+ * @param {Array} filesToChange.delete - Files to delete
+ * @returns {boolean}
+ */
+function isFileInScope(filePath, filesToChange) {
+  // If no scope object provided, scope gating is disabled for this task
+  if (!filesToChange) {
+    return true;
+  }
+
+  // Extract all file paths from the scope
+  const allFiles = [];
+
+  // Add create files
+  if (Array.isArray(filesToChange.create)) {
+    for (const file of filesToChange.create) {
+      if (typeof file === 'string' && file.length > 0) {
+        allFiles.push(file);
+      }
+    }
+  }
+
+  // Add modify files (may be strings or objects with .path)
+  if (Array.isArray(filesToChange.modify)) {
+    for (const file of filesToChange.modify) {
+      if (typeof file === 'string' && file.length > 0) {
+        allFiles.push(file);
+      } else if (file && typeof file.path === 'string' && file.path.length > 0) {
+        allFiles.push(file.path);
+      }
+    }
+  }
+
+  // Add delete files
+  if (Array.isArray(filesToChange.delete)) {
+    for (const file of filesToChange.delete) {
+      if (typeof file === 'string' && file.length > 0) {
+        allFiles.push(file);
+      }
+    }
+  }
+
+  // If scope is explicitly defined but empty, no changes are allowed
+  // This means the spec declared filesToChange but with no files
+  if (allFiles.length === 0) {
+    return false;
+  }
+
+  // Check if file matches any scope pattern
+  for (const pattern of allFiles) {
+    if (matchesPattern(filePath, pattern)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Generate warning message for out-of-scope edits
+ * @param {string} filePath - The file being edited
+ * @param {Object} task - The active task
+ * @param {Object} filesToChange - The scope object
+ * @returns {string}
+ */
+function generateScopeWarning(filePath, task, filesToChange) {
+  // Defensive: handle missing inputs gracefully
+  if (!filePath || !task || !filesToChange) {
+    return 'Scope warning: File not in task scope (insufficient context for details)';
+  }
+
+  const fileName = path.basename(filePath);
+  const fileCount = (filesToChange.create?.length || 0) +
+                    (filesToChange.modify?.length || 0) +
+                    (filesToChange.delete?.length || 0);
+
+  return `Scope Warning: Editing ${fileName} which is not in task scope.
+Task: ${task.id}${task.title ? ' - ' + task.title : ''}
+Spec defines ${fileCount} file(s) in scope.
+Proceed with caution - this file may not be related to your current task.`;
+}
+
+/**
+ * Generate block message for out-of-scope edits
+ * @param {string} filePath - The file being edited
+ * @param {Object} task - The active task
+ * @param {Object} filesToChange - The scope object
+ * @returns {string}
+ */
+function generateScopeBlockMessage(filePath, task, filesToChange) {
+  // Defensive: handle missing inputs gracefully
+  if (!filePath || !task || !filesToChange) {
+    return 'Scope Violation: Cannot edit file - not in task scope';
+  }
+
+  const fileName = path.basename(filePath);
+
+  // Get first few files from scope for context
+  const scopeFiles = [
+    ...(filesToChange.create || []).slice(0, 2),
+    ...(filesToChange.modify || []).slice(0, 2).map(file => typeof file === 'string' ? file : file?.path)
+  ].filter(Boolean).slice(0, 3);
+
+  return `Scope Violation: Cannot edit ${fileName}
+
+Task: ${task.id}${task.title ? ' - ' + task.title : ''}
+Expected scope includes: ${scopeFiles.join(', ')}${scopeFiles.length >= 3 ? ', ...' : ''}
+
+To proceed:
+1. Update the spec to include this file, OR
+2. Complete current task and start a new one for this file, OR
+3. Set scopeGating.mode to "warn" in config to allow with warning`;
+}
+
+/**
+ * Main scope gate check
+ * Wraps task-gate and adds scope validation
+ *
+ * @param {Object} options
+ * @param {string} options.filePath - Path being edited/written
+ * @param {string} options.operation - 'edit' or 'write'
+ * @returns {Object} Result: { allowed, blocked, message, warning, task, scopeChecked, inScope }
+ */
+function checkScopeGate(options = {}) {
+  const { filePath } = options;
+
+  // First, run the normal task gate
+  const taskResult = checkTaskGate(options);
+
+  // If task gate blocked, return that result (no task active)
+  if (taskResult.blocked) {
+    return taskResult;
+  }
+
+  // Check if scope gating is enabled
+  if (!isScopeGatingEnabled()) {
+    return { ...taskResult, scopeChecked: false, reason: 'scope_gating_disabled' };
+  }
+
+  // Check if file is exempt
+  if (filePath && isFileExempt(filePath)) {
+    return { ...taskResult, scopeChecked: true, inScope: true, reason: 'file_exempt' };
+  }
+
+  // Get the active task
+  const activeTask = taskResult.task || getActiveTask();
+  if (!activeTask) {
+    return { ...taskResult, scopeChecked: false, reason: 'no_active_task' };
+  }
+
+  // Get scope from durable session
+  const filesToChange = getSessionFileScope();
+
+  // If no scope defined (spec didn't have filesToChange), skip scope check
+  // This allows tasks without specs to work normally
+  if (!filesToChange) {
+    if (process.env.DEBUG) {
+      console.log('[scope-gate] No scope defined in session - skipping scope enforcement');
+    }
+    return {
+      ...taskResult,
+      scopeChecked: false,
+      reason: 'no_scope_defined'
+    };
+  }
+
+  // Check if file is in scope
+  const inScope = isFileInScope(filePath, filesToChange);
+
+  if (inScope) {
+    return {
+      ...taskResult,
+      scopeChecked: true,
+      inScope: true,
+      reason: 'in_scope'
+    };
+  }
+
+  // File is NOT in scope - warn or block based on config
+  const mode = getScopeGatingMode();
+
+  if (mode === 'warn') {
+    return {
+      ...taskResult,
+      scopeChecked: true,
+      inScope: false,
+      warning: generateScopeWarning(filePath, activeTask, filesToChange),
+      reason: 'out_of_scope_warning'
+    };
+  }
+
+  // Block mode
+  return {
+    allowed: false,
+    blocked: true,
+    scopeChecked: true,
+    inScope: false,
+    message: generateScopeBlockMessage(filePath, activeTask, filesToChange),
+    reason: 'out_of_scope_blocked'
+  };
+}
+
+module.exports = {
+  checkScopeGate,
+  isFileInScope,
+  isFileExempt,
+  matchesPattern,
+  isScopeGatingEnabled,
+  getScopeGatingMode,
+  isPathWithinProject,
+  generateScopeWarning,
+  generateScopeBlockMessage
+};

package/scripts/hooks/entry/claude-code/pre-tool-use.js

@@ -4,10 +4,12 @@
  * Wogi Flow - Claude Code PreToolUse Hook
  *
  * Called before Edit/Write/TodoWrite tool execution.
- * Enforces task gating, component reuse checking, and TodoWrite gating.
+ * Enforces task gating, scope validation, component reuse checking, and TodoWrite gating.
+ *
+ * v4.0: Added scope gating to validate edits are within task's declared scope
  */
 
-const { checkTaskGate } = require('../../core/task-gate');
+const { checkScopeGate } = require('../../core/scope-gate');
 const { checkComponentReuse } = require('../../core/component-check');
 const { checkTodoWriteGate } = require('../../core/todowrite-gate');
 const { claudeCodeAdapter } = require('../../adapters/claude-code');
@@ -61,14 +63,15 @@ async function main() {
 
     let coreResult = { allowed: true, blocked: false };
 
-    // Task gating check (for Edit and Write)
+    // Task + scope gating check (for Edit and Write)
+    // v4.0: checkScopeGate wraps checkTaskGate and adds scope validation
     if (toolName === 'Edit' || toolName === 'Write') {
-      coreResult = checkTaskGate({
+      coreResult = checkScopeGate({
         filePath,
         operation: toolName.toLowerCase()
       });
 
-      // If blocked by task gating, return early
+      // If blocked by task or scope gating, return early
       if (coreResult.blocked) {
         const output = claudeCodeAdapter.transformResult('PreToolUse', coreResult);
         console.log(JSON.stringify(output));